Penalties under the GDPR

On 25 May 2018, many EU countries were not ready for the application of the GDPR, despite having had two years to prepare.

Unfortunately, it is not difficult to imagine that many private companies, as data controllers or data processors, may be facing the same situation regarding the GDPR; hence this article explores the cost of non-compliance.


The aim of this article is simply to give insight into the penalty regime the GDPR establishes and, in particular, to indicate which provisions, if breached, are treated as serious and attract the higher administrative fine, since this may offer a starting point to entities that are running against the clock.

TYPE OF PENALTIES

The GDPR provides different types of sanctions in case of non-compliance. The assessment of what is effective, proportionate and dissuasive in each case will also have to reflect the objective pursued by the corrective measure chosen by the Data Protection Authority (DPA), that is, either to re-establish compliance with the rules or to punish unlawful behaviour (or both).

WARNING – Art. 58(2)(a)

Where intended processing operations are likely to infringe the Regulation, the DPA may issue a warning to the controller or processor.

REPRIMAND – Art. 58(2)(b)

Where processing operations have infringed the Regulation, the DPA may issue a reprimand. In the case of a minor infringement, or where the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine (Recital 148).

SUSPENSION OF DATA PROCESSING – Art. 58(2)(f)

In the case of an infringement, the DPA can impose a temporary or definitive limitation on processing, including a ban, without prejudice to other corrective measures and/or an administrative fine.

SUSPENSION OF DATA FLOWS – Art. 58(2)(j)

In the case of an infringement, the DPA can order the suspension of data flows to a recipient in a third country or to an international organisation, without prejudice to other corrective measures and/or an administrative fine.

ADMINISTRATIVE FINES – Art. 83

The Regulation prescribes two different maximum amounts of administrative fine:

Lower fine: up to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and

Higher fine: up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Lower Administrative Fine – Art. 83(4)

Failure to comply with the following obligations falls into this category:

The obligations of the controller and the processor as stipulated in the following articles:

Article 8: Conditions applicable to child's consent in relation to information society services

Article 11: Processing which does not require identification

Articles 25 to 39: from data protection by design and by default (Article 25), through the obligations of processors, records of processing activities, security of processing (Article 32), notification and communication of personal data breaches (Articles 33 and 34) and data protection impact assessments (Articles 35 and 36), to the designation and tasks of the Data Protection Officer (Articles 37 to 39)

Article 42: Certification

Article 43: Certification bodies

The obligations of the Certification Body as stipulated in the following articles:

Article 42: Certification

Article 43: Certification Bodies

The obligations of the Monitoring Body as stipulated in article 41 (4):

“(…) shall, subject to the appropriate safeguards, take the appropriate action in case of infringement of the code by the controller or processor, including suspension or exclusion of the controller or processor concerned from the code (…)”

Higher Administrative Fine – Art. 83(5) and (6)

Failure to comply with the following obligations falls into this category:

The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9.

The data subjects' rights pursuant to Articles 12 to 22.

The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49.

Any obligation pursuant to Member State law adopted under Chapter IX: Provisions relating to specific processing situations, e.g. processing and freedom of expression and information, processing in the context of employment, and others.

Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows issued by the DPA pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).

In addition, under Article 83(6), non-compliance with an order by the DPA as referred to in Article 58(2) is, in line with the determination criteria of Article 83(2), subject to the higher administrative fine.

KEY POINTS TO KEEP IN MIND:

The DPA shall ensure that in each case the measure is effective, proportionate and dissuasive. To that end, it must follow the determination criteria set out in Article 83(2) GDPR.

Article 58 GDPR provides some guidance as to which measures the DPA might choose, in accordance with the purpose pursued. Some measures may be combined, but this is not mandatory.

An administrative fine can be imposed either in addition to a corrective measure (Article 58) or on its own.

The DPA, by assessing the facts of the case in light of the determination criteria, may decide that in the particular case there is a greater or a lesser need to react with a corrective measure in the form of a fine.

Member State law may allow for, or even mandate, the imposition of a fine for infringement of provisions other than those mentioned in Art. 83(4) to (6) GDPR.

It should be noted that infringements subject to the lower fine under Article 83(4) GDPR may end up qualifying for the higher fine in certain circumstances, e.g. where the infringement has previously been addressed by an order of the DPA and the controller or processor has failed to comply with it (Article 83(6)).

In line with Recital 149 GDPR, “the Member States should be able to lay down the rules on criminal penalties for infringements of the GDPR, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation.” This is permitted provided that it does not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

For the definition of an “undertaking”, the notion developed by the CJEU for the purposes of applying Articles 101 and 102 TFEU should be used. An undertaking is understood to mean an economic unit, which may be formed by the parent company and all the subsidiaries involved. Moreover, in line with Recital 150 GDPR, an undertaking must be understood to be the economic unit which engages in commercial/economic activities, regardless of the legal person involved. In practice this means that the turnover-based maximum is calculated on the turnover of the whole economic unit, not only of the legal entity that committed the infringement.

DPAs shall ensure the consistent application of fines. To that end, they should use the consistency mechanism in line with Article 63 GDPR.